
Notifying Users of New Controls

Ever wonder when new controls are published for Policy Compliance?  You’re not alone.  With the rapid increase in Policy Compliance Control IDs (CIDs) over the past year, many customers wanted a more proactive notification of new content.  We have heard you loud and clear.  With the release of QualysGuard 6.16, users can now receive weekly or monthly email notifications for new and modified CIDs within Policy Compliance.

Setting Up Control Notification

Control Notification is not enabled by default. To receive email notifications for new and modified CIDs, perform the following steps:

  1. From the Tools section, select User Accounts
  2. Edit the User Account that wants to receive Control Notifications
  3. Click on Advanced
  4. Under Notification Options, select Weekly or Monthly for Latest Controls

Figure 1: Edit User: Latest Controls Notification

Receiving Control Notifications

After enabling Control Notifications, the user will receive an email summarizing the new and modified CIDs for Policy Compliance.

Figure 2: Control Notification: Email

In addition, a .CSV file is attached to the email with additional information.

Figure 3: Control Notification: .CSV File

Demo

To see a demo of these steps, please view the Control Notification Demo.

Making Passwords More Secure

Even after you implement policy compliance checks that enforce best practices for strong passwords, your users can still create insecure passwords. The rules may reject passwords of eight or fewer characters, or passwords made up only of letters. But as long as a password conforms to the policies you implement, a user can still choose one that matches their user name or your company name, and those passwords are among the easiest to guess.

To prevent this type of password vulnerability, your policy compliance scans need to check the actual passwords of your users, not just the rules governing the passwords they can create. Three of these password auditing checks are now available in QualysGuard 6.15 Update:

  1. CID 3893 – Empty passwords
    This control identifies user accounts with empty passwords.
  2. CID 3894 – Password matches user name
    This control identifies passwords that match the actual user name or the user name in upper- or lower-case.
  3. CID 3895 – Password matches an entry in the password dictionary
    This control identifies user accounts where the password is equal to an entry in the user-defined password dictionary.

To test the actual passwords, the scanning engine uses a dissolvable agent on Windows systems to collect user password information from target hosts. The dissolvable agent securely sends the password information to the scanner for analysis and securely erases its copy after it completes the tests.
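The three checks above are simple enough to state in code, and seeing them side by side shows why an account can trip more than one control. The following is an added example, not the Qualys agent or scanner logic, and it makes one assumption the post does not state: the audit works from salted SHA-256 digests of each password rather than plaintext, deriving every candidate (empty string, user name in its original, lower and upper case, each dictionary entry) with the account's salt and comparing digests. The account list and the password dictionary are constructed sample data.

```python
"""Added example: the three password-auditing controls (CID 3893, 3894, 3895)
re-implemented as a stand-alone audit over a constructed account list.
Illustrative code only; it is not the Qualys agent or scanner implementation."""
import hashlib
import hmac
import os


# Assumption (not stated in the post): the audit never handles plaintext.
# Each account carries a salted SHA-256 digest, and every check is
# "derive the candidate with the account's salt and compare digests".
def derive(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def make_account(username: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "digest": derive(salt, password)}


def matches(account: dict, candidate: str) -> bool:
    # Constant-time comparison so timing cannot leak how close a guess is.
    return hmac.compare_digest(derive(account["salt"], candidate), account["digest"])


def cid_3893_empty_password(account: dict) -> bool:
    """CID 3893: the password is empty."""
    return matches(account, "")


def cid_3894_password_is_username(account: dict) -> bool:
    """CID 3894: the password equals the user name as-is, lower- or upper-cased."""
    user = account["user"]
    return any(matches(account, c) for c in {user, user.lower(), user.upper()})


def cid_3895_password_in_dictionary(account: dict, dictionary) -> bool:
    """CID 3895: the password equals an entry in the user-defined dictionary."""
    return any(matches(account, word) for word in dictionary)


def audit(accounts, dictionary) -> dict:
    """Return {CID: [violating user names]}; one account may hit several CIDs,
    which is how it would appear in the Actual field of a compliance report."""
    findings = {3893: [], 3894: [], 3895: []}
    for acct in accounts:
        if cid_3893_empty_password(acct):
            findings[3893].append(acct["user"])
        if cid_3894_password_is_username(acct):
            findings[3894].append(acct["user"])
        if cid_3895_password_in_dictionary(acct, dictionary):
            findings[3895].append(acct["user"])
    return findings


# Constructed sample accounts (plaintext appears only to build the digests).
SAMPLE_ACCOUNTS = [
    make_account("alice", "correct horse battery staple"),  # compliant
    make_account("jsmith", "jsmith"),       # CID 3894: exact user name
    make_account("ADMIN", "admin"),         # CID 3894: lower-cased user name
    make_account("svc_backup", ""),         # CID 3893: empty password
    make_account("bob", "Welcome123"),      # CID 3895: dictionary entry
    make_account("acme", "acme"),           # CID 3894 and 3895: company name
]

# Constructed user-defined dictionary, like the one set in the compliance profile.
PASSWORD_DICTIONARY = ["Password1", "Welcome123", "Summer2012", "acme"]

if __name__ == "__main__":
    for cid, users in audit(SAMPLE_ACCOUNTS, PASSWORD_DICTIONARY).items():
        print(f"CID {cid}: {', '.join(users) or '(none)'}")
```

Two practical points follow from the example. The dictionary is what gives CID 3895 its value, so it should carry your company name, product names and site names alongside generic weak passwords, since those are the entries a policy-conforming user is most likely to pick. And because the checks only ever compare derived digests, the audit logic itself never needs to log or retain a plaintext password, which is the property the dissolvable agent's secure erase is meant to preserve end to end.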

Using Password Auditing

Enable Password Auditing

Password Auditing is not enabled in compliance scans by default. To use this feature, create or edit a compliance profile with the following settings:

  1. Enable Password Auditing controls

    Figure 1: Compliance Profile : Enable Password Auditing

  2. Accept the dissolvable agent

    Figure 2: Compliance Profile : Accept Dissolvable Agent

  3. Configure a password dictionary.

    Figure 3: Compliance Profile : Configure Custom Dictionary

Run Compliance Scan

Launch or schedule a compliance scan on the hosts you want to check against the password auditing controls. Select a compliance profile with Password Auditing enabled and, if you want CID 3895 to produce results, a password dictionary defined.

Add Password Auditing Controls to Policy

Add the three new password auditing controls (Control IDs 3893, 3894 and 3895) to a new or existing compliance policy. These controls are supported for Windows and Unix technologies.

Run Compliance Report

Generate compliance reports to compare the data gathered from your hosts during the compliance scan with the expected values defined in your compliance policy. Each user account that violates a Password Auditing control is listed in the Actual field of the report.

Figure 4: Compliance Report with Password Auditing controls

Demo and Technical Paper

To see a demo of these steps, please view the Password Auditing Demo.

For full technical details on Password Auditing, please download the QualysGuard Tips and Techniques, Policy Compliance: Password Auditing Document.